Desperately Needed: Internal Controls for Small Businesses and Nonprofits

by Gregory S. Dowell

Having a great idea or a passionate cause is where most ventures start, but it takes much more than an idea or passion to bring about financial stability. Do you want to insure that your business or nonprofit has a great chance of surviving financially? Do you want your business or nonprofit to run efficiently and to have processes and policies in place that insure its fiscal security? Do you want to attract and retain good employees?

A September article by Sandi Matthews in CGMA titled “5 Steps to Strengthen Internal Controls at Small Businesses and Not-for-Profits” highlighted 5 areas that small businesses and nonprofits can concentrate on to make improvements to internal control. Much of our practice is spent dealing with the owners of small businesses and directors of nonprofit organizations, and we confirm that many small businesses and nonprofits often eschew good internal control practices and policies. Even though these are typically very intelligent and savvy executives and they know that there is value in maintaining good controls, they often perceive that there is a lack of time and resources to implement good internal controls. In some cases, they perceive a lack of risk (“mycontroller/CFO/treasurer/bookkeeper/general manager would never steal” from me) or ultimate value (seen as a trade-off of the cost of controls compared to the perceived payoff) from maintaining good controls.

Ms. Matthews cites the latest report from the Association of Certified Fraud Examiners that notes that organizations with fewer than 100 employees are actually more vulnerable to fraud than other organizations. The median annual fraud loss of $82,000 for religious or charitable organizations is staggering. Perhaps even more important than the actual fraud loss to a church or charity is the negative public perception that follows such an event, and the risk that future donations suffer.

The five steps pointed out by Ms. Matthews come from the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) report titled “Internal Control – Integrated Framework”. These steps can be applied to any organization:

Set a strong internal tone – fraud is most effectively caught by internal controls, rather than by external parties, such as auditors. Management and the board should set clear and consistent examples for the entire organization.

Provide a formal system to report concerns, without fear of reprisal – out of all the tools to find fraud, tips from insiders are the most effective at rooting out fraud, so the goal is to make it as easy as possible for that information to flow through the correct channels. Employee manuals should be updated to include reporting process, new hires should be purposefully exposed, and a formal whistle-blowing policy should be enacted. Importantly, these policies and processes should also be reviewed and discussed openly with all employees periodically.

Be attuned to happenings in the organization – management should listen and be aware of pressures that could possibly compromise an employee’s decision-making. Some of these pressures could include unrealistic or aggressive growth goals, poorly designed or monitored incentive compensation plans, or unbalanced workloads.

Focus on open communications – in addition to creating a more positive work environment, building relationships and trust in an organization will foster good communication, which will create an environment that will more easily spot fraud. Be sure to listen to feedback raised by employees when implementing checks and balances, and be sure to explain the business rationale for the process in a way that is non-threatening.

Consistently enforce policies to promote fairness – regular discussions and training for new employees should be held regarding company policies. References and background checks should be considered before bringing on new employees, particularly for those who will be involved with sensitive accounting or personnel functions. Segregation of duties and checks and balances should be adhered to and respected. Most computer systems will provide access logs and reports, which should be periodically reviewed. If policies are unwritten, take the time to document the essence of those policies, perhaps in bullet-point format.

The five points above are intended to be broad so that they can be adapted to any organization. From our experience, we stress that adopting these five steps is not the goal; rather, implementing the five steps is the goal. Implementation means that these are institutionalized, discussed periodically, and become part of the fabric of the organization.